Systems and methods for using JWTs for information security

ABSTRACT

Systems and methods for using JavaScript Object Notation (JSON) Web Tokens for information security for a particular software-controlled application are disclosed. Exemplary implementations may: store information electronically, including different types of client-provided information, hardware information, key information, and permission information; provide individual JWTs that include individual expiration dates to individual users; receive a user request for continued access and/or use of the particular software-controlled application; perform different types of (automated) verification based on the client-provided information in the user request; and, responsive to particular results from the different types of verification, perform some combination of transferring a response to the user request and accepting or denying continued access and/or use of the particular software-controlled application.

FIELD OF THE DISCLOSURE

The present disclosure relates to systems and methods for using JWTs forinformation security for one or more software-controlled applications.

BACKGROUND

Using password protection for authorization of access tosoftware-controlled applications is known. Using JavaScript ObjectNotation (JSON) Web Tokens (JWTs) for certain communications betweencomputing devices is known.

SUMMARY

One aspect of the present disclosure relates to a system configured forusing JWTs for information security for a particular software-controlledapplication. As used herein, the term “software-controlled application”may refer to both (i) applications that are entirely software based,including but not limited to enterprise software, peer-to-peer software,and/or other types of software applications, and (ii) applications wherea software component or a software layer is used to control a hardwareapplication, including but not limited to code signing certificates,encrypted hard drives, security-enabled equipment, and/or other hardwareapplications that may be controlled by software. As used herein, theterm “authorization credential” may refer to a license, such as asoftware license. The system may include electronic storage, one or morehardware processors configured by machine-readable instructions, and/orother components. The electronic storage is configured to storeinformation electronically, including different types of client-providedinformation, hardware information, key information, and permissioninformation. The one or more hardware processors are configured toprovide individual JWTs that include individual expiration dates toindividual users. The one or more hardware processors are configured toreceive (regularly and/or at recurring intervals) a user request forcontinued access and/or use of the particular software-controlledapplication. The one or more hardware processors are configured toperform different types of (automated) verification based on theclient-provided information in the user request. The one or morehardware processors are configured to, responsive to particular resultsfrom the different types of verification, perform some combination oftransferring a response to the user request and accepting or denyingcontinued access and/or use of the particular software-controlledapplication.

Another aspect of the present disclosure relates to a method for usingJWTs for information security for a particular software-controlledapplication. The method includes storing information electronically,including different types of client-provided information, hardwareinformation, key information, and permission information. The methodincludes providing individual JWTs that include individual expirationdates to individual users. The method includes receiving (regularlyand/or at recurring intervals) a user request for continued accessand/or use of the particular software-controlled application. The methodincludes performing different types of (automated) verification based onthe client-provided information in the user request. The method mayinclude, responsive to particular results from the different types ofverification, performing some combination of transferring a response tothe user request and accepting or denying continued access and/or use ofthe particular software-controlled application.

As used herein, any association (or relation, or reflection, orindication, or correspondency) involving servers, processors, clientcomputing platforms, devices, JWTs, requests, different types ofinformation, different types of verification, presentations, userinterfaces, user interface elements, determinations, responses, and/oranother entity or object that interacts with any part of the systemand/or plays a part in the operation of the system, may be a one-to-oneassociation, a one-to-many association, a many-to-one association,and/or a many-to-many association or “N”-to-“M” association (note that“N” and “M” may be different numbers greater than 1).

As used herein, the term “obtain” (and derivatives thereof) may includeactive and/or passive retrieval, determination, derivation, transfer,upload, download, submission, and/or exchange of information, and/or anycombination thereof. As used herein, the term “effectuate” (andderivatives thereof) may include active and/or passive causation of anyeffect, both local and remote. As used herein, the term “determine” (andderivatives thereof) may include measure, calculate, compute, estimate,approximate, extract, generate, and/or otherwise derive, and/or anycombination thereof.

These and other features, and characteristics of the present technology,as well as the methods of operation and functions of the relatedelements of structure and the combination of parts and economies ofmanufacture, will become more apparent upon consideration of thefollowing description and the appended claims with reference to theaccompanying drawings, all of which form a part of this specification,wherein like reference numerals designate corresponding parts in thevarious figures. It is to be expressly understood, however, that thedrawings are for the purpose of illustration and description only andare not intended as a definition of the limits of the invention. As usedin the specification and in the claims, the singular form of “a”, “an”,and “the” include plural referents unless the context clearly dictatesotherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a system configured for using JavaScript ObjectNotation (JSON) Web Tokens for information security for a particularsoftware-controlled application, in accordance with one or moreimplementations.

FIG. 2 illustrates a method for using JavaScript Object Notation (JSON)Web Tokens for information security for a particular software-controlledapplication, in accordance with one or more implementations.

FIGS. 3-4-5 illustrates exemplary flow charts as may be used in a systemconfigured for using JavaScript Object Notation (JSON) Web Tokens forinformation security for a particular software-controlled application,in accordance with one or more implementations.

FIG. 6 illustrates an exemplary user interface as may be provided tousers of a system configured for using JavaScript Object Notation (JSON)Web Tokens for information security for a particular software-controlledapplication, in accordance with one or more implementations.

DETAILED DESCRIPTION

FIG. 1 illustrates a system 100 configured for using JavaScript ObjectNotation (JSON) Web Tokens for information security forsoftware-controlled applications, in accordance with one or moreimplementations. Users may provide JWTs regularly and/or at recurringintervals to authentication and authorization platforms 105 as part ofuser requests to request continued access and/or use of a particularsoftware-controlled application. In some implementations, user requestsmay be referred to as (automated) client requests. Once a particularuser has been granted access, using JWTs provides a repeated check forauthentication and authorization, without requiring the particular userto repeatedly provide a user identifier and a password (or another typeof authorization). As used herein, the term “information security” mayrefer to software license management.

In some implementations, system 100 may include one or moreauthentication and authorization platforms 105, one or more clientcomputing platforms 104, one or more servers 102, electronic storage130, one or more processors 132, one or more user interfaces 125,external resources 138, and/or other components. Authentication andauthorization platforms 105 and server(s) 102 may be configured tocommunicate with one or more client computing platforms 104 according toa client/server architecture and/or other architectures. Clientcomputing platform(s) 104 may be configured to communicate with otherclient computing platforms via server(s) 102 and/or according to apeer-to-peer architecture and/or other architectures. Users 127 mayaccess system 100 via client computing platform(s) 104. In someimplementations, individual ones of users 127 may be associated withindividual client computing platforms 104. For example, a first user maybe associated with a first client computing platform 104, a second usermay be associated with a second client computing platform 104, and soforth. In some implementations, individual user interfaces 125 may beassociated with individual client computing platforms 104. For example,a first user interface 125 may be associated with a first clientcomputing platform 104, a second user interface 125 may be associatedwith a second client computing platform 104, and so forth.

Server(s) 102 may be configured by machine-readable instructions 106.Machine-readable instructions 106 may include one or more instructioncomponents. The instruction components may include computer programcomponents. The instruction components may include one or more of astorage component 108, a request component 110, an extraction component111, a verification component 112, a registration component 114, anassignment component 116, a token component 117, a response component118, a de-registration component 120, a login component 122, a recordingcomponent 123, an interface component 124, an access component 126, atiming component 128, and/or other instruction components. Electronicstorage 130 a may be similar to electronic storage 130, though includedin client computing platforms 104. Processors 132 a may be similar toprocessors 132, though included in client computing platforms 104.Machine-readable instructions 106 a may be similar to machine-readableinstructions 106, though included in client computing platforms 104.

Storage component 108 may be configured to store informationelectronically, e.g., in electronic storage 130. In someimplementations, stored information may be indexed, organized,structured, and/or otherwise searchable. For example, the storedinformation may include tables, databases, relational databases, and/orother types of structural data storage. In some implementations, thestored information may include user information that identifies a set ofauthorized users that are authorized to access and/or use one or moresoftware-controlled applications. In some implementations, the storedinformation may include registered hardware information that identifiesa set of registered client computing platforms that have been registeredto access and/or use one or more software-controlled applications. Insome implementations, the stored information may include registered keyinformation that identifies a set of registered keys for encryptionand/or decryption that have been registered to access and/or use one ormore software-controlled applications. As used herein, the term “publickey” may include public keys, private keys, and/or other keys used forencryption and/or decryption of information. In some implementations,the stored information may include revoked key information thatidentifies a set of revoked keys for encryption and/or decryption thatare no longer registered to access and/or use one or moresoftware-controlled applications. For example, in some implementations,individual ones of the set of revoked keys for encryption and/ordecryption may correspond to previously-registered client computingplatforms that have been reported stolen or missing. In someimplementations, the stored information may include assigned permissioninformation that identifies a set of assigned authorization credentialsthat have been assigned to specific users and specific client computingplatforms. Individual ones of the set of authorization credentials maybe associated with individual expiration dates. In some implementations,the stored information may include revoked permission information thatidentifies a set of revoked authorization credentials that are no longerassigned for access and/or use of one or more software-controlledapplications. In some implementations, the stored information mayinclude available permission information that identifies a set ofavailable authorization credentials that are available to be assigned toa specific user and a specific client computing platform. In someimplementations, the stored information may include informationregarding previously issued JWTs and/or JWTs that have been previouslyused to request continued access and/or use of one or more particularsoftware-controlled applications.

In some implementations, the stored information may include permissioninformation regarding authorization credential pools. For example, aparticular pool or set or number of authorization credentials may bedesignated for a particular group of users. As long as the particularpool is not exhausted and/or otherwise fully assigned to group members,another user from the group may automatically be authenticated and/orauthorized by system 100 such that an available authorization credentialis assigned to this user. In some implementations, upon an authorizationcredential being newly assigned to a particular user, a new JWT may becreated and provided to this particular user, to be used for futurerequests for continued access and/or use of a particularsoftware-controlled application. Individual JWTs may include a header, apayload, a (digital) signature, and/or other information. The signaturesecurely validates a JWT, and the integrity of the information in thepayload. In some implementations, individual JWTs use one or both ofJSON Web Signature and JSON Web Encryption.

Request component 110 may be configured to receive requests from users127. The requests may include login requests, user requests, (automated)client requests, and/or other requests. In some implementations, a loginrequest may request user-specific authentication to access and/or use aparticular software-controlled application. Alternatively, and/orsimultaneously, in some implementations, a login request may requestdevice-specific authorization to access and/or use a particularsoftware-controlled application. In some implementations, individuallogin requests may be both user-specific and device-specific.

In some implementations, a user request may request continued accessand/or use a particular software-controlled application. In someimplementations, a user request may request user-specific authenticationfor continued access and/or use a particular software-controlledapplication. Alternatively, and/or simultaneously, in someimplementations, a user request may request device-specificauthorization for continued access and/or use a particularsoftware-controlled application. In some implementations, individualuser requests may be both user-specific and device-specific.

In some implementations, requests may include one or more of a useridentifier that identifies a user, a hardware identifier that identifiesa particular client computing platform 104, a machine identifier thatidentifies a particular public key, and/or other information. Forexample, in some implementations, a request may include a password thatis provided by the user. For example, in some implementations, a requestmay include a device name that identifies a particular client computingplatform 104 (e.g., that is currently being used by the user to providethe request). In some implementations, requests may includeclient-provided information, including but not limited toclient-provided JWTs, client-provided expiration dates, client-providedmachine identifiers, client-provided hardware identifiers, and/or otherclient-provided information. In some implementations, some or all of theclient-provided information may be included in the payload of aclient-provided JWT. As used herein, the term “client-provided” mayrefer to information extracted by client-side software, or retrieved byclient-side software, and/or otherwise provided by a client computingplatform, on behalf of a user of a client computing platform, and/or bya user of a client computing platform.

In some implementations, hardware identifiers may be added to and/orprovided by individual client computing platforms 104 as part of arequest. For example, a hardware identifier may be a Media AccessControl (MAC) address, which may be supplied and/or otherwise providedby an individual client device. In some implementations, hardwareidentifiers may be a machine name, or may include a machine name, or maybe a combination of a MAC address and a machine name.

In some implementations, machine identifiers may identify a public keyused for Public Key Infrastructure (PKI). In some implementations, aparticular machine identifier may be (or include) a textualrepresentation of a public key and/or another (generated) certificate.In some implementations, a particular machine identifier may be (orinclude) a textual representation of a device fingerprint or machinefingerprint. For example, the particular machine identifier may includeinformation about the specific hardware and/or software of a particulardevice. In some implementations, a machine identifier may be created byhashing a certificate and/or public key.

Extraction component 111 may be configured to extract information fromrequests and/or JWTs. For example, extraction component 111 may extractone or more of a client-provided hardware identifier, a client-providedmachine identifier, a client-provided user identifier, a client-providedexpiration date, and/or other information from a particular request orJWT. For example, extraction component 111 may extract information fromthe payload of a particular (client-provided) JWT.

Verification component 112 may be configured to perform different typesof verifications. Verifications may be performed in response to (orsubsequent to) receiving particular requests, including login requestsand user requests. Verifications may be based on information included inparticular requests, including but not limited to user identifiers,hardware identifiers, machine identifiers, JWTs, and/or other(client-provided) information. The different types of verifications mayinclude one or more of user-identifier verifications,hardware-identifier verifications, machine-identifier verifications,machine-revocation verifications, assignment verifications,authorization credential-revocation verifications, expirationverifications, authorization credential-availability verifications,token-validation verifications, and/or other types of verifications. Insome implementations, a subset of these different types of verificationsmay be used to verify automatically whether a particular authorizationcredential has been assigned to a particular user. Alternatively, and/orsimultaneously, in some implementations, a subset of these differenttypes of verifications may be used to automatically assign an availableauthorization credential (e.g., from an authorization credential pool)to a particular user. Alternatively, and/or simultaneously, in someimplementations, a subset of these different types of verifications maybe used to accommodate an existing user requesting access to aparticular software-controlled application using a new device (e.g., ifan authorization credential was previously assigned to the existing userfor a different device). Alternatively, and/or simultaneously, in someimplementations, a subset of these different types of verifications maybe used to handle a stolen, missing, or defective device (e.g., toensure a previously assigned authorization credential is revoked so theold device will not have access to a particular software-controlledapplication and/or will not continue to use an authorization credentialthat might otherwise be available). Alternatively, and/orsimultaneously, in some implementations, a subset of these differenttypes of verifications may be used to accommodate an existing userrequesting continued access and/or use of a particularsoftware-controlled application.

In some implementations, user-identifier verifications may be performedby verification component 112 to verify whether a particular useridentifier (e.g., the user identifier in a particular login request)corresponds to one of the user identifiers in the set of authorizedusers (e.g., as included in the stored information). In someimplementations, one or more types of verifications may be performed bycomparisons between different items of information. For example,user-identifier verification may be performed by comparing theparticular user identifier with each of the authorized users in thestored information.

In some implementations, hardware-identifier verifications may beperformed by verification component 112 to verify whether a particularhardware identifier (e.g., the hardware identifier provided in aparticular request) corresponds to one of the hardware identifiers inthe set of registered client computing platforms (e.g., as included inthe stored information). In some implementations, verification mayinclude comparisons and/or look-ups of stored information.

In some implementations, machine-identifier verifications may beperformed by verification component 112 to verify whether a particularmachine identifier (e.g., the machine identifier provided in aparticular request) corresponds to one of the machine identifiers in theset of registered keys for encryption and/or decryption (e.g., asincluded in the stored information).

In some implementations, machine-revocation verifications may beperformed by verification component 112 to verify whether a particularmachine identifier (e.g., the machine identifier provided in aparticular request) corresponds to one of the machine identifiers in theset of revoked keys for encryption and/or decryption (e.g., as includedin the stored information).

In some implementations, assignment verifications may be performed byverification component 112 to verify whether a particular authorizationcredential (e.g., the authorization credential associated with aclient-provided hardware identifier and a client-provided machineidentifier in a particular request) corresponds to one of theauthorization credentials in the set of assigned authorizationcredentials (e.g., as included in the stored information).

In some implementations, authorization credential-revocationverifications may be performed by verification component 112 to verifywhether a particular authorization credential (e.g., the authorizationcredential associated with a client-provided hardware identifier and aclient-provided machine identifier in a particular request) correspondsto one of the authorization credentials in the set of revokedauthorization credentials (e.g., as may be included in the storedinformation). In some implementations, authorizationcredential-revocation verifications may be performed by verificationcomponent 112 to verify whether a particular authorization credential(e.g., the authorization credential associated with a client-providedhardware identifier and a client-provided machine identifier in aparticular request) corresponds to one of the authorization credentialsin a set of authorization credentials that are no longer assigned (orauthorized) for access and/or use of a particular software-controlledapplication.

In some implementations, expiration verifications may be performed byverification component 112 to verify whether particular authorizationcredentials and/or JWTs have expired. In some implementations,expiration may be based on individual expiration dates that areassociated with individual authorization credentials. Expiration datesmay be included in the stored information. In some implementations,expiration may be based on individual expiration dates that areassociated with individual JWTs. For example, expiration dates may beincluded in the payload of a client-provided JWT.

In some implementations, authorization credential-availabilityverifications may be performed by verification component 112 to verifywhether the set of available authorization credentials includes anindividual available authorization credential (e.g., that is currentlyavailable, or that is available in view of certain context such asidentifiers and/or other information). For example, in someimplementations, an authorization credential may be available providedthat it is unassigned, unrevoked, and available to be assigned to aparticular user. In some implementations, availability may be determinedin view of an authorization credential pool. For example, a particulargroup of users may use an authorization credential pool that includes aparticular number of authorization credentials such that there may onlybe an available authorization credential if less than the number ofauthorization credentials in the pool is currently assigned to the groupof users that use the authorization credential pool.

In some implementations, token-validation verifications may be performedby verification component 112 to verify whether a particularclient-provided JWT is valid (e.g., the client-provided JWT in a userrequest for continued access and/or use of a particularsoftware-controlled application). For example, token-validationverification may include verifying whether the individual signature ofan individual JWT is correct and validates the individual JWT.

In some implementations, particular verifications may be performed inresponse to (or subsequent to) one or more other verifications. Forexample, the assignment verification may be performed responsive to thetoken-validation verification verifying that the client-provided JWT isvalid. For example, the expiration verification may be performedresponsive to the assignment verification verifying a particularauthorization credential corresponds to one of the set of assignedauthorization credentials, wherein the particular authorizationcredential is associated with both the client-provided hardwareidentifier and the client-provided machine identifier. For example, themachine-revocation verification may be performed responsive to theexpiration verification verifying the particular authorizationcredential has not expired. These examples are not intended to belimiting.

Registration component 114 may be configured to register one or more ofa specific user (or user identifier), a specific client computingplatform (or hardware identifier), a specific public key (or machineidentifier), and/or other information. In some implementations,registration may include adding particular information to a particularset, table, database, and/or other type of stored information. Forexample, registration of particular hardware information may includeadding the particular hardware information to the set of registeredhardware information (e.g., as may be included in the storedinformation). For example, registration of particular machineinformation may include adding the particular machine information to theset of registered key information (e.g., as may be included in thestored information). In some implementations, registrations byregistration component 114 may be performed in response to (orsubsequent to) one or more verifications by verification component 112,or other actions by system 100. For example, responsive to themachine-identifier verification failing to verify that the machineidentifier in a particular request corresponds to one of the set ofregistered keys for encryption and/or decryption, registration component114 may be configured to register the machine identifier.

Assignment component 116 may be configured to assign a specificauthorization credential (e.g., an individual available authorizationcredential) to a specific user and a specific client computing platform.In some implementations, assignment of an authorization credential maybe specific to a machine identifier. In some implementations, assignmentmay include adding particular information to a particular set, table,database, and/or other type of stored information. For example,assignment of a particular authorization credential may include addingthe particular authorization credential (and/or information regardingthe particular authorization credential) to the set of assignedauthorization credentials (e.g., as may be included in the storedinformation). In some implementations, assignments by assignmentcomponent 116 may be performed in response to (or subsequent to) one ormore verifications by verification component 112, or other actions bysystem 100. For example, responsive to the authorizationcredential-availability verification verifying that the set of availableauthorization credentials includes an individual available authorizationcredential, assignment component 116 may be configured to assign theindividual available authorization credential to the user such that theset of assigned authorization credentials includes the individualavailable authorization credential. In some implementations, assignmentof a particular authorization credential includes associating theparticular authorization credential with a particular hardwareidentifier and a particular machine identifier, such that the particularhardware identifier is associated with the particular machine identifierand vice versa. In some implementations, upon an authorizationcredential being newly assigned to a particular user by assignmentcomponent 116, a new JWT may be created (e.g., by token component 117)and provided (e.g., by response component 118 and/or another componentof system 100) to this particular user. This particular user may usethis new JWT for requests for continued access and/or use of aparticular software-controlled application.

Token component 117 may be configured to create and/or renew JWTs. Tokencreation may include combining different types of information, includingbut not limited to one or more of a user identifier, a hardwareidentifier, a machine identifier, a public key, permission information,an expiration date, a selection for an algorithm to be used to generatea digital signature, and/or other information. In some implementations,token creation may include encoding of one or more of the differenttypes of information. For example, JWTs may use encoding that is thesame as or similar to base64 encoding. In some implementations, tokencreation may include encryption of one or more of the different types ofinformation. For example, JWTs may use encryption that is the same as orsimilar to SHA-256 and/or HMAC. In some implementations, renewal of atoken may include reusing the same information as another JWT, but witha different expiration date that is later than the original expirationdate in the other JWT. In some cases, system 100 may respond to everyuser request (that passes the different types of verifications byverification component 112) by providing a renewed JWT, such that anindividual JWT will only be used once to request continued access and/oruse of the particular software-controlled application. In these cases,system 100 may verify that a client-provided JWT has not been providedpreviously. In other words, a JWT cannot be replayed in such a case. Inother cases, system 100 may respond to only some user requests (thatpasses the different types of verifications by verification component112) by providing a renewed JWT, for example when expiration isimminent.

Response component 118 may be configured to transfer responses torequests, including login requests and user requests. In someimplementations, individual responses may include JWTs (e.g., providedto the user that made the request). Alternatively, and/orsimultaneously, individual responses may include individual standardHyperText Transfer Protocol (HTTP) status codes. In particular,responses may conform to the HTTP application layer protocol. Forexample, an individual standard HTTP status code may be “200”, “201”,“401”, “402”, “403”, “404”, “410”, and/or other standard HTTP statuscodes. For example, a “200” status code may indicate a request has beenaccepted. For example, a “201” status code may indicate a request hasbeen accepted, and a new resource has been created in the process. Forexample, a “401” status code may indicate the request has not beenaccepted due to some (client) error. For example, a “402” status codemay indicate the request has not been accepted due to some (client)error that requires a payment. For example, a “403” status code mayindicate the request has not been accepted due to some (client) errorthat represents the client has no access, or no longer has access. Forexample, a “410” status code may indicate the request has not beenaccepted due to some (client) error that represents a removal orrevocation of rights. In some implementations, individual responses mayinclude or use so-called “raw sockets”. In some implementations,individual responses may conform to Quick UDP Internet Connections(QUIC). Other protocols and formats are considered within the scope ofthis disclosure. In some implementations, responses by responsecomponent 118 may be performed in response to (or subsequent to) one ormore verifications by verification component 112, registrations byregistration component 114, assignments by assignment component 116,token creations (or renewals) by token component 117, or other actionsby system 100.

Referring to FIG. 1 , de-registration component 120 may be configured tode-register a particular hardware identifier, e.g., by removing theparticular hardware identifier from the set of registered clientcomputing platforms. In some implementations, de-registration component120 may be configured to move a previously assigned authorizationcredential. For example, an authorization credential may be moved fromone client computing platform to another client computing platform. Insome implementations, de-registration component 120 may be configured tore-assign a previously assigned authorization credential to anothercombination of client computing platform (or hardware identifier) and/orpublic key (or machine identifier). For example, a re-assignment may beaccomplished by modifying at least one of the set of registered clientcomputing platforms, the set of registered keys for encryption and/ordecryption, the set of assigned authorization credentials, and/or theset of revoked authorization credentials.

Recording component 123 may be configured to store information inelectronic storage 130 a. The stored information may include one or moreJWTs received from authentication and authorization platform 105,timestamps (e.g., when a JWT has been received, when particularresponses are received, or when other events occurred), and/or otherinformation. In some implementations, the stored information may includea hardware identifier, a machine identifier, and/or other informationthat is specific to a user and/or a device.

Referring to FIG. 1 , login component 122 may be configured to receiveuser input (from users 127) on client computing platforms 104. Forexample, the user input may represent a particular (login) request, by aparticular user, to access and/or use a particular software-controlledapplication. Login component 122 may be configured to provide requeststo authentication and authorization platform 105 (and, in particular, torequest component 110). Responses from authentication and authorizationplatform 105 (and, in particular, from response component 118) may beprovided to client computing platforms 104 (and, in particular, to logincomponent 122). In some implementations, user input received by logincomponent 122 may include a user identifier, a password, and/or otherinformation. In some implementations, login component 122 may beconfigured to add certain information to the received user input to formrequests, including but not limited to a hardware identifier, a machineidentifier, and/or other information. For example, this information maybe available locally on the particular client computing platform 104. Insome implementations, login component 122 may (regularly and/or atrecurring intervals) automatically provide (e.g., to authentication andauthorization platform 105) user requests that request continued accessand/or use of the particular software-controlled application. These userrequests may include the JWT that is locally stored in electronicstorage 130 a. These intervals may be an hour, a day, a week, 2 weeks, amonth, and/or another duration. Certain responses received fromauthentication and authorization platform 105 may prompt recordingcomponent 123 to record and/or store a new timestamp, which may resetthe predetermined grace period.

Referring to FIG. 1 , interface component 124 may be configured togenerate, effectuate, and/or present user interfaces 125 on clientcomputing platforms 104 to users. For example, interface component 124may be configured to present a particular user interface 125 on aparticular client computing platform 104 to a particular user. Forexample, particular user interface 125 may include one or more portionsor sections. The one or more portions and/or sections may include afirst portion, a second portion, a third portion, a fourth portion, andso forth. In some implementations, a portion of a particular userinterface 125 may enable a user to enter and/or select informationand/or actions, including but not limited to a particular useridentifier, a particular password, and a graphical user interfaceelement to transfer a user request to authentication and authorizationplatform 105. In some implementations, a portion of particular userinterface 125 may be used to present a response to the user (e.g., fromresponse component 118).

Access component 126 may be configured to provide or deny access tosoftware-controlled applications. For example, assume that a particularuser is using a particular client computing platform to (try to) accessa particular software-controlled application. Upon acceptance of aparticular request from the particular user (such that a particularauthorization credential is assigned or has been assigned to theparticular user) access component 126 may enable the particular user touse the particular software-controlled application. In someimplementations, the particular software-controlled application may beexecuted locally, on the particular client computing platform that isassociated with and/or being used by the particular user. In someimplementations, the particular software-controlled application may beexecuted on a server (e.g., on authentication and authorization platform105 or on external resources 138), such that pertinent informationregarding the particular software-controlled application is madeavailable and/or otherwise presented on the particular client computingplatform that is associated with and/or being used by the particularuser. Based on the particular responses from authentication andauthorization platform 105, continued access and/or use of theparticular software-controlled application may be either provided (orapproved) or denied.

Timing component 128 may be configured to determine amounts of elapsedtime. In some implementations, timing component 128 may determine anamount of elapsed time between the most recently stored timestamp (e.g.,when a new JWT or a particular response was received from authenticationand authorization platform 105) and a particular moment in time. Theparticular moment in time could be the current time. The particularmoment in time could be the moment a particular response was received,e.g., with a particular standard HTTP status code. For example, theparticular moment could be the moment a standard HTTP status code of“402” was received. Timing component 128 may be configured to compareamounts of elapsed time (as previously determined) with a thresholdduration referred to as a predetermined grace period. In some cases, thepredetermined grace period may be 1 day, 1 week, 1 month, and/or anotherduration. Access component 126 may deny continued access to theparticular software-controlled application responsive to the amount ofelapsed time exceeding the predetermined grace period. In other words,once a user is no longer entitled to access to the particularsoftware-controlled application (due to the expiration date passing),the predetermined grace period allows continued access for a limitedtime (i.e., for the predetermined grace period) until continued accesswill be denied. During that period, the user can remedy the passing ofthe expiration date, e.g., by purchasing extended access to theparticular software-controlled application, or by otherwise renewing theuser's authorization credential to the particular software-controlledapplication. For example, a user request after renewal of theauthorization credential would return a particular response (e.g., astandard HTTP status code of 200 and/or 201), which would causerecording component 123 to store a new timestamp, thus resetting thepredetermined grace period. In some implementations, the time betweenindividual ones of the recurring intervals (when login component 122automatically provides user requests to authentication and authorizationplatform 105) may be shorter than the predetermined grace period.

By way of non-limiting example, FIG. 3 illustrates an exemplary flowchart 300 as may be used in system 100 (in particular, by authenticationand authorization platform 105). Flow chart 300 may start attoken-validation verification 112 a, and further include some or all ofthe following other types of verification, which may be linked togetheras depicted in FIG. 3 : assignment verification 112 b, expirationverification 112 c, and machine-revocation verification 112 d. Based onthe results of these different types of verifications, flow chart 300may perform some or all of the following actions: provide a response(e.g., first response 118 a, second response 18 b, third response 118 c,fourth response 118 d, or fifth response 118 e), and tokencreation/renewal 117 a. Individual responses may include individualstandard HTTP status codes. For example, first response 118 a mayindicate a user request cannot be fulfilled due to error. For example,second response 118 b may indicate a user request cannot be fulfilleddue to error. For example, third response 118 c may indicate a userrequest cannot be fulfilled due to error. For example, fourth response118 d may indicate a user request cannot be fulfilled due to error. Forexample, fifth response 118 e may indicate a user request has beenaccepted for continued access and/or use of the particularsoftware-controlled application.

By way of non-limiting example, FIG. 4 illustrates an exemplary flowchart 400 as may be used in system 100 (in particular, by authenticationand authorization platform 105). Flow chart 400 may start at a steplabeled “Store Information” 108 a (which stores information in anelectronic storage regarding identifiers, authorization credentials, andJWTs as described in this disclosure), upon which a step labeled“Provide JWTs” 117 x may be based (which provides individual JWTs 440 toindividual users, outside of flowchart 400, e.g., upon assigning anauthorization credential to the individual users, though this assignmentis not depicted in FIG. 4 ). Flow chart 400 may include a step labeled“User request” 110 a, where a user provides a user request to requestcontinued access and/or use of a particular software-controlledapplication. Flow chart 400 may subsequently include some or all of thefollowing other types of verification, which may be organized asdepicted in FIG. 4 under a step labeled “Different types ofverifications” 112 x: token-validation verification 112 a, assignmentverification 112 b, expiration verification 112 c, andmachine-revocation verification 112 d. Based on the results of thesedifferent types of verifications, flow chart 400 may perform some or allof the following actions: provide “One or more Responses” 118 x, and“Token Creation/Renewal” 117 a. Individual responses may includeindividual standard HTTP status codes. In some cases, a response mayinclude a JWT.

By way of non-limiting example, FIG. 5 illustrates an exemplary flowchart 500 as may be used in system 100 (in particular, by a particularclient computing platform 104). Flow chart 500 may start at a steplabeled “User request” 122 a, where the user of the particular clientcomputing platform 104 provides a user request, via a transfer ofinformation 550, to request continued access and/or use of a particularsoftware-controlled application. This user request includes the locallystored JWT (stored in step 123 a, labeled “Store JWT”), and is provided,via transfer of information 550, to authentication and authorizationplatform 105 (not depicted). In response, authentication andauthorization platform 105 (not depicted) provides one or moreresponses, as indicated by step 118 x. Subsequently, flow chart 500includes a step labeled “Process Response(s)” 122 x. Based on theparticular response received, flow chart 500 may continue at a steplabeled “Deny Request” 126 a (by providing particular information 551 tothe user, e.g., regarding the reason a user request is being denied),which means the user will no longer have access to the particularsoftware-controlled application. Alternatively, flow chart 500 maycontinue at a step labeled “Accept Request” 126 b, which means the usermay continue using the particular software-controlled application (byproviding particular information 552 to the user, e.g., regarding thereason a user request is accepted and/or from the particularsoftware-controlled application). Alternatively, flow chart 500 maycontinue at a step labeled “Grace Period” 128 a, which means the user isallowed continued access for a limited time (i.e., for the predeterminedgrace period) until access will be denied, unless the user remedies thepassing of the expiration date. In some cases, flow chart 500 mayreturn, after allowing the user continued access to start anew (e.g.,after a recurring interval has passed), either by step 123 a or step 122a.

By way of non-limiting example, FIG. 6 illustrates an exemplary userinterface 600 as may be present to a user on a particular clientcomputing platform. User interface 600 may include graphical userinterface elements 61 a and 61 b that are configured for a user to enterand/or select information. For example, element 61 a may be used toenter a user identifier and element 61 b may be used to enter apassword. User interface 600 may include an action button 62 labeled“Request Access”. Upon selection and/or engagement of action button 62,user interface 600 may initiate and/or otherwise provide a particularrequest to authentication and authorization platform 105. A firstrequest may be a login request to a particular software-controlledapplication, based on the entered user identifier and password.Subsequent (automated) requests may be requests for continued accessand/or use of the particular software-controlled application, based on alocally (i.e., on the particular client computing platform) stored JWT.User interface 600 may include graphical user interface element 61 c,labeled “Information for User”, which may be used by the system toprovide information to the user, including but not limited to feedback,comments, or prompts. For example, a client-side application mayinterpret responses from authentication and authorization platform 105(including but not limited to standard HTTP status codes) and provideinformation to the user, through graphical user interface element 61 c,that is based on the responses from authentication and authorizationplatform 105. For example, responsive to a particular request forcontinued access and/or use of the particular software-controlledapplication being denied, graphical user interface element 61 c mayprovide an explanation or reason why the particular request is deniedand/or information about how to remedy the issue so that access and/oruse may be resumed. User interface 600 may include graphical userinterface element 61 d, labeled “Software-controlled application”, whichmay be used by the system to provide (continued) access to theparticular software-controlled application as requested by the user, andwhich may be used to deny access if the request is denied.

In some implementations, authentication and authorization platform(s)105, server(s) 102, client computing platform(s) 104, and/or externalresources 138 may be operatively linked via one or more electroniccommunication links. For example, such electronic communication linksmay be established, at least in part, via one or more networks 13 suchas the Internet and/or other networks. It will be appreciated that thisis not intended to be limiting, and that the scope of this disclosureincludes implementations in which components may be operatively linkedvia some other communication media.

A given client computing platform 104 may include one or more processorsconfigured to execute computer program components. The computer programcomponents may be configured to enable an expert or user associated withthe given client computing platform 104 to interface with system 100and/or external resources 138, and/or provide other functionalityattributed herein to client computing platform(s) 104. By way ofnon-limiting example, the given client computing platform 104 mayinclude one or more of a desktop computer, a laptop computer, a handheldcomputer, a tablet computing platform, a NetBook, a Smartphone, a gamingconsole, and/or other computing platforms.

User interfaces 125 may be configured to facilitate interaction betweenusers and system 100 and/or between users and client computing platforms104. For example, user interfaces 125 may provide an interface throughwhich users may provide information to and/or receive information fromsystem 100. In some implementations, user interface 125 may include oneor more of a display screen, touchscreen, monitor, a keyboard, buttons,switches, knobs, levers, mouse, microphones, sensors to capture voicecommands, sensors to capture eye movement and/or body movement, sensorsto capture hand and/or finger gestures, sensors to capture facialcharacteristics, biometric sensors, and/or other user interface devicesconfigured to receive and/or convey user input and/or information from auser. In some implementations, user interface 125 may be configured tosupport face recognition, iris recognition, RFID implants, and/or otherpersonalization technologies. In some implementations, one or more userinterfaces 125 may be included in one or more client computing platforms104. In some implementations, one or more user interfaces 125 may beincluded in system 100.

External resources 138 may include sources of information outside ofsystem 100, external entities participating with system 100, and/orother resources. In some implementations, external resources 138 mayinclude a provider of information which may be used by system 100. Insome implementations, external resources 138 may include a provider ofparticular software-controlled applications which may be made availableto users through system 100. In some implementations, some or all of thefunctionality attributed herein to external resources 138 may beprovided by resources included in system 100.

Server(s) 102 may include electronic storage 130, one or more processors132, and/or other components. Server(s) 102 may include communicationlines, or ports to enable the exchange of information with a networkand/or other computing platforms. Illustration of server(s) 102 in FIG.1 is not intended to be limiting. Server(s) 102 may include a pluralityof hardware, software, and/or firmware components operating together toprovide the functionality attributed herein to server(s) 102. Forexample, server(s) 102 may be implemented by a cloud of computingplatforms operating together as server(s) 102. In some implementations,some or all of the functionality attributed herein to server 102 and/orsystem 100 may be provided by resources included in one or more clientcomputing platform(s) 104.

Electronic storage 130 may comprise non-transitory storage media thatelectronically stores information. The electronic storage media ofelectronic storage 130 may include one or both of system storage that isprovided integrally (i.e., substantially non-removable) with server(s)102 and/or removable storage that is removably connectable or capable ofbeing coupled operationally to server(s) 102 via, for example, a port(e.g., a USB port, a firewire port, etc.) or a drive (e.g., a diskdrive, etc.) or networked storage (e.g., network-attached storage (NAS),storage area network (SAN), etc.). Electronic storage 130 may includeone or more of optically readable storage media (e.g., optical disks,etc.), magnetically readable storage media (e.g., magnetic tape,magnetic hard drive, floppy drive, etc.), electrical charge-basedstorage media (e.g., EEPROM, RAM, etc.), solid-state storage media(e.g., flash drive, etc.), and/or other electronically readable storagemedia. Electronic storage 130 may include one or more virtual storageresources (e.g., cloud storage, a virtual private network, and/or othervirtual storage resources). Electronic storage 130 may store softwarealgorithms, information determined by processor(s) 132, informationreceived from server(s) 102, information received from client computingplatform(s) 104, and/or other information that enables server(s) 102 tofunction as described herein.

Processor(s) 132 may be configured to provide information processingcapabilities in server(s) 102. As such, processor(s) 132 may include oneor more of a digital processor, an analog processor, a digital circuitdesigned to process information, an analog circuit designed to processinformation, a state machine, and/or other mechanisms for electronicallyprocessing information, whether local or remote, or both. Althoughprocessor(s) 132 is shown in FIG. 1 as a single entity, this is forillustrative purposes only. In some implementations, processor(s) 132may include a plurality of processing units. These processing units maybe physically located within the same device, or processor(s) 132 mayrepresent processing functionality of a plurality of devices operatingin coordination. Processor(s) 132 may be configured to executecomponents 108, 110, 111, 112, 114, 116, 117, 118, 120, 122, 123, 124,126, and/or 128, and/or other components. Processor(s) 132 may beconfigured to execute components 108, 110, 111, 112, 114, 116, 117, 118,120, 122, 123, 124, 126, and/or 128, and/or other components bysoftware; hardware; firmware; some combination of software, hardware,and/or firmware; and/or other mechanisms for configuring processingcapabilities on processor(s) 132. As used herein, the term “component”may refer to any component or set of components that perform thefunctionality attributed to the component. This may include one or morephysical processors during execution of processor readable instructions,the processor readable instructions, circuitry, hardware, storage media,or any other components.

It should be appreciated that although components 108, 110, 111, 112,114, 116, 117, 118, 120, 122, 123, 124, 126, and/or 128 are illustratedin FIG. 1 as being implemented within a single processing unit, inimplementations in which processor(s) 132 includes multiple processingunits, one or more of components 108, 110, 111, 112, 114, 116, 117, 118,120, 122, 123, 124, 126, and/or 128 may be implemented remotely from theother components. The description of the functionality provided by thedifferent components 108, 110, 111, 112, 114, 116, 117, 118, 120, 122,123, 124, 126, and/or 128 described below is for illustrative purposes,and is not intended to be limiting, as any of components 108, 110, 111,112, 114, 116, 117, 118, 120, 122, 123, 124, 126, and/or 128 may providemore or less functionality than is described. For example, one or moreof components 108, 110, 111, 112, 114, 116, 117, 118, 120, 122, 123,124, 126, and/or 128 may be eliminated, and some or all of itsfunctionality may be provided by other ones of components 108, 110, 111,112, 114, 116, 117, 118, 120, 122, 123, 124, 126, and/or 128. As anotherexample, processor(s) 132 may be configured to execute one or moreadditional components that may perform some or all of the functionalityattributed below to one of components 108, 110, 111, 112, 114, 116, 117,118, 120, 122, 123, 124, 126, and/or 128.

FIG. 2 illustrates a method 200 for using JavaScript Object Notation(JSON) Web Tokens for information security for a particularsoftware-controlled application, in accordance with one or moreimplementations. The operations of method 200 presented below areintended to be illustrative. In some implementations, method 200 may beaccomplished with one or more additional operations not described,and/or without one or more of the operations discussed. Additionally,the order in which the operations of method 200 are illustrated in FIG.2 and described below is not intended to be limiting.

In some implementations, method 200 may be implemented in one or moreprocessing devices (e.g., a digital processor, an analog processor, adigital circuit designed to process information, an analog circuitdesigned to process information, a state machine, and/or othermechanisms for electronically processing information). The one or moreprocessing devices may include one or more devices executing some or allof the operations of method 200 in response to instructions storedelectronically on an electronic storage medium. The one or moreprocessing devices may include one or more devices configured throughhardware, firmware, and/or software to be specifically designed forexecution of one or more of the operations of method 200.

At an operation 202, information is stored electronically. The storedinformation includes one or more of (i) user information that identifiesa set of authorized users that are authorized to access and/or use theparticular software-controlled application, (ii) registered hardwareinformation that identifies a set of registered client computingplatforms that have been registered to access and/or use the particularsoftware-controlled application, (iii) registered key information thatidentifies a set of registered keys for encryption and/or decryptionthat have been registered to access and/or use the particularsoftware-controlled application, (iv) revoked key information thatidentifies a set of revoked keys for encryption and/or decryption thatare no longer registered to access and/or use the particularsoftware-controlled application, (v) assigned permission informationthat identifies a set of assigned authorization credentials that havebeen assigned to specific users and specific client computing platforms,wherein individual ones of the set of authorization credentials areassociated with individual expiration dates, and (vi) revoked permissioninformation that identifies a set of revoked authorization credentialsthat are no longer assigned for access and/or use the particularsoftware-controlled application. In some embodiments, operation 202 isperformed by a storage component the same as or similar to storagecomponent 108 (shown in FIG. 1 and described herein).

At an operation 204, responsive to receiving, from individual users,login requests that include individual user identifiers, individualhardware identifiers, and individual machine identifiers, the individualhardware identifiers are registered, the individual machine identifiersare registered, individual available authorization credentials areassigned to the individual users, and, to the individual users,individual JWTs are provided that include individual expiration dates.The individual JWTs grant temporary access and/or use of the particularsoftware-controlled application. In some embodiments, operation 204 isperformed by a token component the same as or similar to token component117 (shown in FIG. 1 and described herein).

At an operation 206, a user request is received, from a user associatedwith a client computing platform, for continued access and/or use of theparticular software-controlled application. The user request includes(i) a client-provided JWT. The client-provided JWT includes a payload.The payload includes a client-provided expiration date. The user requestfurther includes (ii) a client-provided hardware identifier thatidentifies the client computing platform, and (iii) a client-providedmachine identifier that identifies a public key. In some embodiments,operation 206 is performed by a request component the same as or similarto request component 110 (shown in FIG. 1 and described herein).

At an operation 208, a token-validation verification is performed thatverifies whether the client-provided JWT in the user request is valid.In some embodiments, operation 208 is performed by a verificationcomponent the same as or similar to verification component 112 (shown inFIG. 1 and described herein).

At an operation 210, the client-provided hardware identifier isextracted, from either the user request or the client-provided JWT, asis the client-provided machine identifier and the client-providedexpiration date. In some embodiments, operation 210 is performed by anextraction component the same as or similar to extraction component 111(shown in FIG. 1 and described herein).

At an operation 212, an assignment verification is performed thatverifies whether a particular authorization credential corresponds toone of the set of assigned authorization credentials. The particularauthorization credential is associated with both the client-providedhardware identifier and the client-provided machine identifier. In someembodiments, operation 212 is performed by a verification component thesame as or similar to verification component 112 (shown in FIG. 1 anddescribed herein).

At an operation 214, an expiration verification is performed thatverifies whether the particular authorization credential has expired. Insome embodiments, operation 214 is performed by a verification componentthe same as or similar to verification component 112 (shown in FIG. 1and described herein).

At an operation 216, a machine-revocation verification is performed thatverifies whether the client-provided machine identifier corresponds toone of the set of revoked keys for encryption and/or decryption. In someembodiments, operation 216 is performed by a verification component thesame as or similar to verification component 112 (shown in FIG. 1 anddescribed herein).

At an operation 218, responsive to the machine-revocation verificationverifying that the client-provided machine identifier corresponds to oneof the set of revoked keys for encryption and/or decryption, a firstresponse is transferred in response to the user request. The firstresponse includes a first standard HTTP status code that indicates theuser request cannot be fulfilled due to error. In some embodiments,operation 218 is performed by a response component the same as orsimilar to response component 118 (shown in FIG. 1 and describedherein).

At an operation 220, responsive to the machine-revocation verificationverifying that the client-provided machine identifier does notcorrespond to one of the set of revoked keys for encryption and/ordecryption, (i) a renewed JWT is created that includes a renewedexpiration date that is later than the client-provided expiration date,and (ii) the renewed JWT is provided in response to user request, and apositive response is transferred to the user request. The positiveresponse includes a standard HTTP status code that indicates the userrequest has been accepted for continued access and/or use of theparticular software-controlled application. In some embodiments,operation 220 is performed by a token component and a response componentthe same as or similar to token component 117 and response component 118(shown in FIG. 1 and described herein).

Although the present technology has been described in detail for thepurpose of illustration based on what is currently considered to be themost practical and preferred implementations, it is to be understoodthat such detail is solely for that purpose and that the technology isnot limited to the disclosed implementations, but, on the contrary, isintended to cover modifications and equivalent arrangements that arewithin the spirit and scope of the appended claims. For example, it isto be understood that the present technology contemplates that, to theextent possible, one or more features of any implementation can becombined with one or more features of any other implementation.

What is claimed is:
 1. A system configured for using JavaScript ObjectNotation (JSON) Web Tokens for information security for asoftware-controlled application, the system comprising: electronicstorage configured to store information electronically, wherein thestored information includes: (i) registered key information thatidentifies a set of registered keys for encryption and/or decryptionthat have been registered to access and/or use the software-controlledapplication, (ii) revoked key information that identifies a set ofrevoked keys for encryption and/or decryption that are no longerregistered to access and/or use the software-controlled application dueto being revoked, (iii) user information that identifies a set ofauthorized users that are authorized to access and/or use thesoftware-controlled application, (iv) registered hardware informationthat identifies a set of registered client computing platforms that havebeen registered to access and/or use the software-controlledapplication, (v) assigned permission information that identifies a setof assigned authorization credentials that have been assigned tospecific users and specific client computing platforms, whereinindividual ones of the set of authorization credentials are associatedwith individual expiration dates, (vi) revoked permission informationthat identifies a set of revoked authorization credentials that are nolonger assigned for access and/or use of the software-controlledapplication due to being revoked; and one or more hardware processorsconfigured by machine-readable instructions to: responsive to receiving,from individual users, login requests that include individual useridentifiers, individual hardware identifiers, and individual machineidentifiers, registering the individual hardware identifiers, registerthe individual machine identifiers, assign individual availableauthorization credentials to the individual users, and provide, to theindividual users individual JWTs that include individual expirationdates, wherein the individual JWTs grant temporary access and/or use ofthe software-controlled application; receive, from a user associatedwith a client computing platform, a user request for continued accessand/or use of the software-controlled application, wherein the userrequest includes: (i) a client-provided JWT, wherein the client-providedJWT includes a payload, wherein the payload includes a client-providedexpiration date, (ii) a client-provided hardware identifier thatidentifies the client computing platform, and (iii) a client-providedmachine identifier that identifies a public key; perform atoken-validation verification that verifies whether the client-providedJWT in the user request is valid; extract, from either the user requestor the client-provided JWT, the client-provided hardware identifier, theclient-provided machine identifier, and the client-provided expirationdate; perform an assignment verification that verifies whether anauthorization credential corresponds to one of the set of assignedauthorization credentials, wherein the authorization credential isassociated with both the client-provided hardware identifier and theclient-provided machine identifier; perform an expiration verificationthat verifies whether the authorization credential has expired; performa machine-revocation verification that verifies whether theclient-provided machine identifier corresponds to one of the set ofrevoked keys for encryption and/or decryption due to being revoked;responsive to the machine-revocation verification verifying that theclient-provided machine identifier corresponds to one of the set ofrevoked keys for encryption and/or decryption due to being revoked,transfer a first response to the user request, wherein the firstresponse includes a first standard HTTP status code that indicates theuser request cannot be fulfilled due to error; and responsive to themachine-revocation verification verifying that the client-providedmachine identifier does not correspond to one of the set of revoked keysfor encryption and/or decryption due to being revoked: (i) create arenewed JWT that includes a renewed expiration date that is later thanthe client-provided expiration date; (ii) provide the renewed JWT inresponse to user request, and transfer a positive response to the userrequest, wherein the positive response includes a standard HTTP statuscode that indicates the user request has been accepted for continuedaccess and/or use of the software-controlled application.
 2. The systemof claim 1, wherein the user request further includes a client-provideduser identifier that identifies the user, wherein the hardwareidentifier is a MAC address, and wherein the public key is used forPublic Key Infrastructure (PKI).
 3. The system of claim 1, wherein theclient-provided hardware identifier and the client-provided machineidentifier are included in the payload of the client-provided JWT. 4.The system of claim 1, wherein, responsive to the token-validationverification verifying the client-provided JWT in the user request isnot valid, the one or more hardware processors are further configured totransfer a second response to the user request, wherein the secondresponse includes a second standard HTTP status code that indicates theuser request cannot be fulfilled due to error.
 5. The system of claim 4,wherein, responsive to the assignment verification verifying theauthorization credential does not correspond to one of the set ofassigned authorization credentials, the one or more hardware processorsare further configured to transfer a third response to the user request,wherein the third response includes a third standard HTTP status codethat indicates the user request cannot be fulfilled due to error.
 6. Thesystem of claim 5, wherein, responsive to the expiration verificationverifying the authorization credential has expired, the one or morehardware processors are further configured to transfer a fourth responseto the user request, wherein the fourth response includes a fourthstandard HTTP status code that indicates the user request cannot befulfilled due to error.
 7. The system of claim 6, wherein the firststandard HTTP status code is 410, wherein the second standard HTTPstatus code is 401, wherein the third standard HTTP status code is 403,and wherein the fourth standard HTTP status code is
 402. 8. The systemof claim 7, further comprising the client computing platform that isassociated with the user, wherein the client computing platform includeselectronic client storage and one or more processors configured bymachine-readable instructions to: responsive to receiving an individualJWT, store the individual JWT and a timestamp in the electronic clientstorage; transfer the user request for continued access and/or use ofthe software-controlled application, wherein the user request includesthe individual JWT; receive a response to the user request, wherein: (i)responsive to the response indicating the user request cannot befulfilled due to error, the one or more processors are configured todetermine an amount of elapsed time between a most recently storedtimestamp and a current time, and, responsive to the amount of elapsedtime exceeding a predetermined grace period, deny the continued accessand/or use of the software-controlled application, (ii) responsive tothe response indicating the user request has been accepted, the one ormore processors are configured to store a current timestamp in theelectronic client storage; and responsive to the response including therenewed JWT, store the renewed JWT in the electronic client storage. 9.The system of claim 8, wherein the response indicating the user requestcannot be fulfilled due to error is the fourth response using the fourthstandard HTTP status code of
 402. 10. The system of claim 8, whereintransferring the user request is performed at recurring intervals, andwherein the predetermined grace period is longer than the time betweenindividual ones of the recurring intervals.
 11. A method for usingJavaScript Object Notation (JSON) Web Tokens for information securityfor a software-controlled application, the method comprising: storinginformation electronically, wherein the stored information includes: (i)registered key information that identifies a set of registered keys forencryption and/or decryption that have been registered to access and/oruse the software-controlled application, (ii) revoked key informationthat identifies a set of revoked keys for encryption and/or decryptionthat are no longer registered to access and/or use thesoftware-controlled application due to being revoked, (iii) userinformation that identifies a set of authorized users that areauthorized to access and/or use the software-controlled application,(iv) registered hardware information that identifies a set of registeredclient computing platforms that have been registered to access and/oruse the software-controlled application, (v) assigned permissioninformation that identifies a set of assigned authorization credentialsthat have been assigned to specific users and specific client computingplatforms, wherein individual ones of the set of authorizationcredentials are associated with individual expiration dates, (vi)revoked permission information that identifies a set of revokedauthorization credentials that are no longer assigned for access and/oruse of the software-controlled application due to being revoked;responsive to receiving, from individual users, login requests thatinclude individual user identifiers, individual hardware identifiers,and individual machine identifiers, registering the individual hardwareidentifiers, registering the individual machine identifiers, assigningindividual available authorization credentials to the individual users,and providing, to the individual users individual JWTs that includeindividual expiration dates, wherein the individual JWTs grant temporaryaccess and/or use of the software-controlled application; receiving,from a user associated with a client computing platform, a user requestfor continued access and/or use of the software-controlled application,wherein the user request includes: (i) a client-provided JWT, whereinthe client-provided JWT includes a payload, wherein the payload includesa client-provided expiration date, (ii) a client-provided hardwareidentifier that identifies the client computing platform, and (iii) aclient-provided machine identifier that identifies a public key; performa token-validation verification that verifies whether theclient-provided JWT in the user request is valid; extracting, fromeither the user request or the client-provided JWT, the client-providedhardware identifier, the client-provided machine identifier, and theclient-provided expiration date; performing an assignment verificationthat verifies whether an authorization credential corresponds to one ofthe set of assigned authorization credentials, wherein the authorizationcredential is associated with both the client-provided hardwareidentifier and the client-provided machine identifier; performing anexpiration verification that verifies whether the authorizationcredential has expired; performing a machine-revocation verificationthat verifies whether the client-provided machine identifier correspondsto one of the set of revoked keys for encryption and/or decryption dueto being revoked; responsive to the machine-revocation verificationverifying that the client-provided machine identifier corresponds to oneof the set of revoked keys for encryption and/or decryption,transferring a first response to the user request, wherein the firstresponse includes a first standard HTTP status code that indicates theuser request cannot be fulfilled due to error; and responsive to themachine-revocation verification verifying that the client-providedmachine identifier does not correspond to one of the set of revoked keysfor encryption and/or decryption due to being revoked: (i) creating arenewed JWT that includes a renewed expiration date that is later thanthe client-provided expiration date, and (ii) providing the renewed JWTin response to user request, and transferring a positive response to theuser request, wherein the positive response includes a standard HTTPstatus code that indicates the user request has been accepted forcontinued access and/or use of the software-controlled application. 12.The method of claim 11, wherein the user request further includes aclient-provided user identifier that identifies the user, wherein thehardware identifier is a MAC address, and wherein the public key is usedfor Public Key Infrastructure (PKI).
 13. The method of claim 11, whereinthe client-provided hardware identifier and the client-provided machineidentifier are included in the payload of the client-provided JWT. 14.The method of claim 11, further comprising: responsive to thetoken-validation verification verifying the client-provided JWT in theuser request is not valid, transferring a second response to the userrequest, wherein the second response includes a second standard HTTPstatus code that indicates the user request cannot be fulfilled due toerror.
 15. The method of claim 14, further comprising: responsive to theassignment verification verifying the authorization credential does notcorrespond to one of the set of assigned authorization credentials,transferring a third response to the user request, wherein the thirdresponse includes a third standard HTTP status code that indicates theuser request cannot be fulfilled due to error.
 16. The method of claim15, further comprising: responsive to the expiration verificationverifying the authorization credential has expired, transferring afourth response to the user request, wherein the fourth responseincludes a fourth standard HTTP status code that indicates the userrequest cannot be fulfilled due to error.
 17. The method of claim 16,wherein the first standard HTTP status code is 410, wherein the secondstandard HTTP status code is 401, wherein the third standard HTTP statuscode is 403, and wherein the fourth standard HTTP status code is 402.18. The method of claim 17, further comprising: responsive to receivingan individual JWT, storing the individual JWT and a timestamp inelectronic client storage, wherein the electronic client storage isincluded in the client computing platform; transferring the user requestfor continued access and/or use of the software-controlled application,wherein the user request includes the individual JWT; receiving aresponse to the user request; responsive to the response indicating theuser request cannot be fulfilled due to error, determining an amount ofelapsed time between a most recently stored timestamp and a currenttime, and, responsive to the amount of elapsed time exceeding apredetermined grace period, denying the continued access and/or use ofthe software-controlled application; responsive to the responseindicating the user request has been accepted, storing a currenttimestamp in the electronic client storage; and responsive to theresponse including the renewed JWT, storing the renewed JWT in theelectronic client storage.
 19. The method of claim 18, wherein theresponse indicating the user request cannot be fulfilled due to error isthe fourth response using the fourth standard HTTP status code of 402.20. The method of claim 18, wherein transferring the user request isperformed at recurring intervals, and wherein the predetermined graceperiod is longer than the time between individual ones of the recurringintervals.